Methods and systems for generating probabilistically searchable messages

ABSTRACT

A computer-implemented method for generating probabilistically searchable messages includes obtaining, by a computing device, a textual message. The method includes extracting, by the computing device, from the textual message, a plurality of words. The method includes cryptographically hashing, by the computing device, each word of the plurality of words. The method includes mapping, by the computing device, each cryptographically hashed word to a plurality of tokens. The method includes generating, by the computing device, a set of tokens associated with the textual message, the set of tokens including each plurality of tokens associated with each cryptographically hashed word. The method includes storing, by the computing device, the set of tokens associated with the textual message in metadata associated with the textual message.

CROSS-REFERENCE TO RELATED APPLICATIONS

The application is a continuation of U.S. patent application Ser. No.15/073,933, filed on Mar. 18, 2016, entitled “Methods and Systems forGenerating Probabilistically Searchable Messages,” which itself claimspriority from U.S. Provisional Patent Application Ser. No. 62/136,937,filed on Mar. 23, 2015, entitled “Methods and Systems for GeneratingProbabilistically Searchable Messages,” which is hereby incorporated byreference.

BACKGROUND

The disclosure relates to privacy-preserving search techniques. Moreparticularly, the methods and systems described herein relate togenerating probabilistically searchable messages.

Electronically conveyed messages, such as email messages, can furnish aconvenient means of communication, but they also give rise to securityconcerns. If transmitted according to conventional protocols, suchmessages may be readily examined by intercepting third parties or minedfor advertisement purposes by email services. Encrypting messagesprevents unwanted parties from reading them, but typically decreases theconvenience of using the messages as a result. In particular, whileelectronic messages are typically searchable, encrypted messagestypically are not; the service provider that performs the searchescannot index encrypted messages because the message contents areobfuscated.

BRIEF SUMMARY

In one aspect, a computer-implemented method for generatingprobabilistically searchable messages includes obtaining, by a computingdevice, a textual message. The method includes extracting, by thecomputing device, from the textual message, a plurality of words. Themethod includes cryptographically hashing, by the computing device, eachword of the plurality of words. The method includes mapping, by thecomputing device, each cryptographically hashed word to a plurality oftokens. The method includes generating, by the computing device, a setof tokens associated with the textual message, the set of tokensincluding each plurality of tokens associated with eachcryptographically hashed word. The method includes storing, by thecomputing device, the set of tokens associated with the textual messagein metadata associated with the textual message.

In one aspect, a computer-implemented method for searchingprobabilistically searchable messages includes obtaining, by a computingdevice, from a user, a textual query. The method includes extracting, bythe computing device, from the textual query, at least one word. Themethod includes cryptographically hashing, by the computing device, theat least one word. The method includes mapping, by the computing device,the cryptographically hashed at least one word to a plurality of tokens.The method includes generating, by the computing device, a set of tokensassociated with the textual query, the set of tokens including eachplurality of tokens associated with each cryptographically hashed word.The method includes receiving, by the computing device, from a searchengine, at least one textual message including metadata comprising theset of tokens.

BRIEF DESCRIPTION OF THE DRAWINGS

The foregoing and other objects, aspects, features, and advantages ofthe disclosure will become more apparent and better understood byreferring to the following description taken in conjunction with theaccompanying drawings, in which:

FIGS. 1A-1C are block diagrams depicting embodiments of computers usefulin connection with the methods and systems described herein;

FIG. 2A is a block diagram depicting one embodiment of a system forgenerating probabilistically searchable messages;

FIG. 2B is a block diagram illustrating an exemplary embodiment of aBloom filter;

FIG. 2C is a block diagram illustrating an exemplary embodiment of aBloom filter;

FIG. 3A is a flow diagram depicting an embodiment of a method forgenerating probabilistically searchable messages;

FIG. 3B is a screenshot of a textual message for to be tokenizedaccording to some embodiments of a method for generatingprobabilistically searchable messages;

FIG. 3C is a block diagram describing an embodiment of a method forgenerating probabilistically searchable messages;

FIG. 3D is a screenshot depicting an embodiment of a textual messagewith embedded search tokens; and

FIG. 4 is a flow diagram depicting an embodiment of a method forsearching probabilistically searchable messages.

DETAILED DESCRIPTION

In some embodiments, the methods and systems described herein relate togenerating and searching probabilistically searchable messages. Beforedescribing such methods and systems in detail, however, a description isprovided of a network in which such methods and systems may beimplemented.

Referring now to FIG. 1A, an embodiment of a network environment isdepicted. In brief overview, the network environment comprises one ormore clients 102 a-102 n (also generally referred to as local machine(s)102, client(s) 102, client node(s) 102, client machine(s) 102, clientcomputer(s) 102, client device(s) 102, computing device(s) 102,endpoint(s) 102, or endpoint node(s) 102) in communication with one ormore remote machines 106 a-106 n (also generally referred to asserver(s) 106 or computing device(s) 106) via one or more networks 104.

Although FIG. 1A shows a network 104 between the clients 102 and theremote machines 106, the clients 102 and the remote machines 106 may beon the same network 104. The network 104 can be a local-area network(LAN), such as a company Intranet, a metropolitan area network (MAN), ora wide area network (WAN), such as the Internet or the World Wide Web.In some embodiments, there are multiple networks 104 between the clients102 and the remote machines 106. In one of these embodiments, a network104′ (not shown) may be a private network and a network 104 may be apublic network. In another of these embodiments, a network 104 may be aprivate network and a network 104′ a public network. In still anotherembodiment, networks 104 and 104′ may both be private networks.

The network 104 may be any type and/or form of network and may includeany of the following: a point to point network, a broadcast network, awide area network, a local area network, a telecommunications network, adata communication network, a computer network, an ATM (AsynchronousTransfer Mode) network, a SONET (Synchronous Optical Network) network,an SDH (Synchronous Digital Hierarchy) network, a wireless network, anda wireline network. In some embodiments, the network 104 may comprise awireless link, such as an infrared channel or satellite band. Thetopology of the network 104 may be a bus, star, or ring networktopology. The network 104 may be of any such network topology as knownto those ordinarily skilled in the art capable of supporting theoperations described herein. The network may comprise mobile telephonenetworks utilizing any protocol or protocols used to communicate amongmobile devices, including AMPS, TDMA, CDMA, GSM, GPRS, or UMTS. In someembodiments, different types of data may be transmitted via differentprotocols. In other embodiments, the same types of data may betransmitted via different protocols.

A client 102 and a remote machine 106 (referred to generally ascomputing devices 100) can be any workstation, desktop computer, laptopor notebook computer, server, portable computer, mobile telephone orother portable telecommunication device, media playing device, a gamingsystem, mobile computing device, or any other type and/or form ofcomputing, telecommunications or media device that is capable ofcommunicating on any type and form of network and that has sufficientprocessor power and memory capacity to perform the operations describedherein. A client 102 may execute, operate or otherwise provide anapplication, which can be any type and/or form of software, program, orexecutable instructions, including, without limitation, any type and/orform of web browser, web-based client, client-server application, anActiveX control, or JAVA applet, or any other type and/or form ofexecutable instructions capable of executing on client 102.

In one embodiment, a computing device 106 provides functionality of aweb server. In some embodiments, a web server 106 comprises anopen-source web server, such as the APACHE servers maintained by theApache Software Foundation of Delaware. In other embodiments, the webserver executes proprietary software, such as the INTERNET INFORMATIONSERVICES products provided by Microsoft Corporation of Redmond, Wash.;the ORACLE IPLANET web server products provided by Oracle Corporation ofRedwood Shores, Calif.; or the BEA WEBLOGIC products provided by BEASystems of Santa Clara, Calif.

In some embodiments, the system may include multiple, logically-groupedremote machines 106. In one of these embodiments, the logical group ofremote machines may be referred to as a server farm 38. In another ofthese embodiments, the server farm 38 may be administered as a singleentity.

FIGS. 1B and 1C depict block diagrams of a computing device 100 usefulfor practicing an embodiment of the client 102 or a remote machine 106.As shown in FIGS. 1B and 1C, each computing device 100 includes acentral processing unit 121, and a main memory unit 122. As shown inFIG. 1B, a computing device 100 may include a storage device 128, aninstallation device 116, a network interface 118, an I/O controller 123,display devices 124 a-n, a keyboard 126, a pointing device 127, such asa mouse, and one or more other I/O devices 130 a-n. The storage device128 may include, without limitation, an operating system and software.As shown in FIG. 1C, each computing device 100 may also includeadditional optional elements, such as a memory port 103, a bridge 170,one or more input/output devices 130 a-130 n (generally referred tousing reference numeral 130), and a cache memory 140 in communicationwith the central processing unit 121.

The central processing unit 121 is any logic circuitry that responds toand processes instructions fetched from the main memory unit 122. Inmany embodiments, the central processing unit 121 is provided by amicroprocessor unit such as: those manufactured by Intel Corporation ofMountain View, Calif.; those manufactured by Motorola Corporation ofSchaumburg, Ill.; those manufactured by Transmeta Corporation of SantaClara, Calif.; those manufactured by International Business Machines ofWhite Plains, N.Y.; or those manufactured by Advanced Micro Devices ofSunnyvale, Calif. The computing device 100 may be based on any of theseprocessors, or any other processor capable of operating as describedherein.

Main memory unit 122 may be one or more memory chips capable of storingdata and allowing any storage location to be directly accessed by themicroprocessor 121. The main memory 122 may be based on any availablememory chips capable of operating as described herein. In the embodimentshown in FIG. 1B, the processor 121 communicates with main memory 122via a system bus 150. FIG. 1C depicts an embodiment of a computingdevice 100 in which the processor communicates directly with main memory122 via a memory port 103. FIG. 1C also depicts an embodiment in whichthe main processor 121 communicates directly with cache memory 140 via asecondary bus, sometimes referred to as a backside bus. In otherembodiments, the main processor 121 communicates with cache memory 140using the system bus 150.

In the embodiment shown in FIG. 1B, the processor 121 communicates withvarious I/O devices 130 via a local system bus 150. Various buses may beused to connect the central processing unit 121 to any of the I/Odevices 130, including a VESA VL bus, an ISA bus, an EISA bus, aMicroChannel Architecture (MCA) bus, a PCI bus, a PCI-X bus, aPCI-Express bus, or a NuBus. For embodiments in which the I/O device isa video display 124, the processor 121 may use an Advanced Graphics Port(AGP) to communicate with the display 124. FIG. 1C depicts an embodimentof a computer 100 in which the main processor 121 also communicatesdirectly with an I/O device 130 b via, for example, HYPERTRANSPORT,RAPIDIO, or INFINIBAND communications technology.

A wide variety of I/O devices 130 a-130 n may be present in thecomputing device 100. Input devices include keyboards, mice, trackpads,trackballs, microphones, scanners, cameras, and drawing tablets. Outputdevices include video displays, speakers, inkjet printers, laserprinters, and dye-sublimation printers. The I/O devices may becontrolled by an I/O controller 123 as shown in FIG. 1B. Furthermore, anI/O device may also provide storage and/or an installation medium 116for the computing device 100. In some embodiments, the computing device100 may provide USB connections (not shown) to receive handheld USBstorage devices such as the USB Flash Drive line of devices manufacturedby Twintech Industry, Inc. of Los Alamitos, Calif.

Referring still to FIG. 1B, the computing device 100 may support anysuitable installation device 116, such as a floppy disk drive forreceiving floppy disks such as 3.5-inch disks, 5.25-inch disks or ZIPdisks, a CD-ROM drive, a CD-R/RW drive, a DVD-ROM drive, tape drives ofvarious formats, USB device, hard-drive or any other device suitable forinstalling software and programs. The computing device 100 may furthercomprise a storage device, such as one or more hard disk drives orredundant arrays of independent disks, for storing an operating systemand other software.

Furthermore, the computing device 100 may include a network interface118 to interface to the network 104 through a variety of connectionsincluding, but not limited to, standard telephone lines, LAN or WANlinks (e.g., 802.11, T1, T3, 56 kb, X.25, SNA, DECNET), broadbandconnections (e.g., ISDN, Frame Relay, ATM, Gigabit Ethernet,Ethernet-over-SONET), wireless connections, or some combination of anyor all of the above. Connections can be established using a variety ofcommunication protocols (e.g., TCP/IP, IPX, SPX, NetBIOS, Ethernet,ARCNET, SONET, SDH, Fiber Distributed Data Interface (FDDI), RS232, IEEE802.11, IEEE 802.11a, IEEE 802.11b, IEEE 802.11g, IEEE 802.11n, CDMA,GSM, WiMax, and direct asynchronous connections). In one embodiment, thecomputing device 100 communicates with other computing devices 100′ viaany type and/or form of gateway or tunneling protocol such as SecureSocket Layer (SSL) or Transport Layer Security (TLS). The networkinterface 118 may comprise a built-in network adapter, network interfacecard, PCMCIA network card, card bus network adapter, wireless networkadapter, USB network adapter, modem, or any other device suitable forinterfacing the computing device 100 to any type of network capable ofcommunication and performing the operations described herein.

In some embodiments, the computing device 100 may comprise or beconnected to multiple display devices 124 a-124 n, of which each may beof the same or different type and/or form. As such, any of the I/Odevices 130 a-130 n and/or the I/O controller 123 may comprise any typeand/or form of suitable hardware, software, or combination of hardwareand software to support, enable or provide for the connection and use ofmultiple display devices 124 a-124 n by the computing device 100. Oneordinarily skilled in the art will recognize and appreciate the variousways and embodiments that a computing device 100 may be configured tohave multiple display devices 124 a-124 n.

In further embodiments, an I/O device 130 may be a bridge between thesystem bus 150 and an external communication bus, such as a USB bus, anApple Desktop Bus, an RS-232 serial connection, a SCSI bus, a FireWirebus, a FireWire 800 bus, an Ethernet bus, an AppleTalk bus, a GigabitEthernet bus, an Asynchronous Transfer Mode bus, a HIPPI bus, a SuperHIPPI bus, a SerialPlus bus, a SCI/LAMP bus, a FibreChannel bus, or aSerial Attached small computer system interface bus.

A computing device 100 of the sort depicted in FIGS. 1B and 1C typicallyoperates under the control of operating systems, which controlscheduling of tasks and access to system resources. The computing device100 can be running any operating system such as any of the versions ofthe MICROSOFT WINDOWS operating systems, the different releases of theUNIX and LINUX operating systems, any version of the MAC OS forMacintosh computers, any embedded operating system, any real-timeoperating system, any open source operating system, any proprietaryoperating system, any operating systems for mobile computing devices, orany other operating system capable of running on the computing deviceand performing the operations described herein. Typical operatingsystems include, but are not limited to: WINDOWS 3.x, WINDOWS 95,WINDOWS 98, WINDOWS 2000, WINDOWS NT 3.51, WINDOWS NT 4.0, WINDOWS CE,WINDOWS XP, WINDOWS 7, and WINDOWS VISTA, all of which are manufacturedby Microsoft Corporation of Redmond, Wash.; MAC OS manufactured by AppleInc. of Cupertino, Calif.; OS/2 manufactured by International BusinessMachines of Armonk, N.Y.; and LINUX, a freely-available operating systemdistributed by Caldera Corp. of Salt Lake City, Utah, or any type and/orform of a UNIX operating system, among others.

The computing device 100 can be any workstation, desktop computer,laptop or notebook computer, server, portable computer, mobile telephoneor other portable telecommunication device, media playing device, agaming system, mobile computing device, or any other type and/or form ofcomputing, telecommunications or media device that is capable ofcommunication and that has sufficient processor power and memorycapacity to perform the operations described herein. In someembodiments, the computing device 100 may have different processors,operating systems, and input devices consistent with the device. Inother embodiments the computing device 100 is a mobile device, such as aJAVA-enabled cellular telephone or personal digital assistant (PDA). Thecomputing device 100 may be a mobile device such as those manufactured,by way of example and without limitation, by Motorola Corp. ofSchaumburg, Ill., USA; Kyocera of Kyoto, Japan; Samsung Electronics Co.,Ltd. of Seoul, Korea; Nokia of Finland; Hewlett-Packard DevelopmentCompany, L.P. and/or Palm, Inc. of Sunnyvale, Calif., USA; Sony EricssonMobile Communications AB of Lund, Sweden; or Research In Motion Limited,of Waterloo, Ontario, Canada. In yet other embodiments, the computingdevice 100 is a smart phone, POCKET PC, POCKET PC PHONE, or otherportable mobile device supporting Microsoft Windows Mobile Software.

In some embodiments, the computing device 100 is a digital audio player.In one of these embodiments, the computing device 100 is a digital audioplayer such as the Apple IPOD, IPOD Touch, IPOD NANO, and IPOD SHUFFLElines of devices, manufactured by Apple Inc. of Cupertino, Calif. Inanother of these embodiments, the digital audio player may function asboth a portable media player and as a mass storage device. In otherembodiments, the computing device 100 is a digital audio player such asthose manufactured by, for example, and without limitation, SamsungElectronics America of Ridgefield Park, N.J.; Motorola Inc. ofSchaumburg, Ill.; or Creative Technologies Ltd. of Singapore. In yetother embodiments, the computing device 100 is a portable media playeror digital audio player supporting file formats including, but notlimited to, MP3, WAV, M4A/AAC, WMA Protected AAC, AEFF, Audibleaudiobook, Apple Lossless audio file formats, and .mov, .m4v, and .mp4MPEG-4 (H.264/MPEG-4 AVC) video file formats.

In some embodiments, the computing device 100 comprises a combination ofdevices, such as a mobile phone combined with a digital audio player orportable media player. In one of these embodiments, the computing device100 is a device in the Motorola line of combination digital audioplayers and mobile phones. In another of these embodiments, thecomputing device 100 is a device in the IPHONE smartphone line ofdevices manufactured by Apple Inc. of Cupertino, Calif. In still anotherof these embodiments, the computing device 100 is a device executing theANDROID open source mobile phone platform distributed by the OpenHandset Alliance; for example, the device 100 may be a device such asthose provided by Samsung Electronics of Seoul, Korea, or HTCHeadquarters of Taiwan, R.O.C. In other embodiments, the computingdevice 100 is a tablet device such as, for example and withoutlimitation, the IPAD line of devices manufactured by Apple Inc.; thePLAYBOOK manufactured by Research In Motion; the CRUZ line of devicesmanufactured by Velocity Micro, Inc. of Richmond, Va.; the FOLIO andTHRIVE line of devices manufactured by Toshiba America InformationSystems, Inc. of Irvine, Calif.; the GALAXY line of devices manufacturedby Samsung; the HP SLATE line of devices manufactured byHewlett-Packard; and the STREAK line of devices manufactured by Dell,Inc. of Round Rock, Tex.

Some embodiments of the disclosed system and method involve the use ofcryptographic systems. A cryptographic system is a set of protocols oralgorithms whereby a data set, known as “plaintext,” which is coherentin a particular format readable for a person or machine, is converted toa related data set, known as “cyphertext,” which is typically notcoherent for any person or machine unless first converted back intoplaintext. The plaintext may be any set of data that may be stored orinterpreted by computing devices 100 as described above in connectionwith FIGS. 1A-1C. The plaintext may be a character array, such as astring of human-readable symbols. The plaintext may be an image file,such as a Joint Photographic Experts Group (“JPEG”) file. The plaintextmay be an audio file, such as a Moving Pictures Experts Group—AudioLayer III (“MP3”) file. The plaintext may be a video file, such as aMoving Pictures Experts Group (“MPEG”) file. The cryptographic systemmay translate the plaintext into cyphertext by performing one or moremathematical operations on the plaintext. The process of convertingplaintext into cyphertext is known as “encryption.” The cyphertext maybe referred to as “encrypted.” The cryptographic system may use anotherdataset called an “encryption key” to encrypt the plaintext. In oneembodiment, an encryption key is any data that enables a cryptographicsystem to encrypt plaintext into cyphertext. In some embodiments, thecryptographic system also includes a protocol for converting cyphertextback into plaintext. The process of converting the cyphertext back intoplaintext may be called “decryption.” A “decryption key” is any datathat enables a crypto system to decrypt cyphertext, producing itscorresponding plaintext.

In some cryptographic systems, known as “symmetric” cryptographicsystems, the decryption key is sufficiently similar to the encryptionkey that possession of either the decryption or encryption key triviallyenables a computing device 100 to determine the encryption or decryptionkey, respectively. The encryption and decryption keys in symmetriccryptographic systems may be kept secret, and shared only with personsor entities that the user of the cryptographic system wishes to be ableto decrypt the cyphertext. One example of a symmetric cryptographicsystem is AES, which arranges plaintext into matrices and then modifiesthe matrices through repeated permutations and arithmetic operationswith an encryption key. In embodiments of cryptographic systems that are“asymmetric,” either the encryption or decryption key cannot be readilydeduced without additional secret knowledge, even given the possessionof the corresponding decryption or encryption key, respectively; acommon example is a “public key cryptographic system,” in whichpossession of the encryption key does not make it practically feasibleto deduce the decryption key, so that the encryption key may safely bemade available to the public. An example of a public key cryptographicsystem is RSA, in which the encryption key involves the use of numbersthat are products of very large prime numbers, but the decryption keyinvolves the use of those very large prime numbers, such that deducingthe decryption key from the encryption key requires the practicallyinfeasible task of computing the prime factors of a number which is theproduct of two very large prime numbers.

Embodiments of the disclosed system and method create tokenscorresponding to the contents of textual messages, so that searchengines, including third-party search engines, may index a textualmessage, even if the body of the message is encrypted. Each word may becryptographically hashed so that the meaning of the word is notascertainable from the tokens; in addition, the tokens may be insertedas metadata in arbitrary order, and random additional tokens may beadded, greatly reducing the risk of correlative attacks and attacksbased on traffic analysis.

Referring now to FIG. 2A, a block diagram depicts one embodiment of asystem 200 for generating and searching probabilistically searchablemessages. In brief overview, the system 200 includes a computing device100. The computing device 100 may be a computing device 100 as describedabove in connection with FIGS. 1A-1C. In some embodiments, the system200 also includes a message parser 202 executing on the computing device100. The system also includes a message metadata generator 204 executingon the computing device 100. The system includes a search application220. The search application 220 includes a query metadata generator 206executing on the computing device 100. The search application 220further includes a query module 208 executing on the computing device100.

In one embodiment, the message parser 202 is provided as a softwareapplication. In another embodiment, the message parser 202 is providedas a hardware application. The message parser 202 may combine softwareand hardware elements. In some embodiments, the message parser 202 isconfigured to obtain a textual message and to extract a plurality ofwords from the textual message, as described in further detail below inconnection with FIG. 3A.

In one embodiment, a textual message is a set of textual data providedby a user of the computing device 100. In another embodiment, the userintends to send the textual message electronically from one computingdevice 100 to another computing device 100 b (not shown). Textual datamay include alphanumeric characters. Textual data may includealphanumeric strings. Textual data may include punctuation. Textual datamay include special characters, such as the “@” symbol. Textual data mayinclude characters from any writing system useable for therepresentation of any language. The textual message may be sent from onecomputing device 100 to another computing device 100 b using anyprotocol suitable for exchanging textual data between computing devicesas disclosed above in connection with FIGS. 1A-1C. The textual messagemay be, by way of example and without limitation, an electronic mailmessage (email), such as a message conveyed using the simple mailtransfer protocol (SMTP) or a message conveyed using the post officeprotocol (POP). The email may be drafted and/or transmitted using a Webemail application such as the GMAIL application produced by Google, Inc.of Mountain View, Calif., the YAHOO email application produced by Yahoo,Inc. of Sunnyvale, Calif., or the OUTLOOK webmail program produced byMicrosoft Corporation of Redmond, Wash.

In one embodiment, the message metadata generator 204 is provided as asoftware application. In another embodiment, the message metadatagenerator 204 is provided as a hardware application. The messagemetadata generator 204 may combine software and hardware elements. Insome embodiments, the message metadata generator 204 is configured tocryptographically hash each word of the plurality of words extracted bythe message parser 202 as described in further detail below inconnection with FIG. 3A

The message metadata generator 204 may cryptographically hash each wordusing a cryptographic hash function. In one embodiment, a hash functionis a function that maps an element of data having an arbitrary size toanother element of data having a fixed size. In some embodiments, acryptographic hash function is a hash function, converting a first dataelement commonly called a “message” to a second data element commonlycalled a “digest,” that is practically impossible to reverse. Thereversal of the cryptographic hash function may be computationallyinfeasible, requiring an impractically large number of computationalsteps to reverse using the capacity of currently available computingdevices. The cryptographic hash function may have the property ofpre-image resistance, guaranteeing that it is computationally hard tofind, for a particular digest, the message from which the cryptographichash function produced the digest. The cryptographic hash function mayhave the property of collision resistance, whereby it is difficult tofind a first and second message such that the digest produced from thefirst message is the same as the digest produced from the secondmessage; finding such a first and second message may be known as a“collision.” In some embodiments, to guarantee collision resistance, thedigest produced by the cryptographic hash function may be at least twiceas long as the length necessary to guarantee pre-image resistance. As anon-limiting example, the cryptographic function may be theMerkle-Damgård hash function (MD5). As another non-limiting example, thecryptographic hash function may be the Secure Hash Algorithm (SHA-1).

The cryptographic hash function may be a key hash function, whichcombines a message with a second data element whose contents are secretto other parties, known as a secret key, to produce a digest. In someembodiments, the cryptographic hash function is a message authenticationcode (MAC) hash function. The MAC hash may have the property that aperson who has sent a message of the person's choosing to be hashed bythe MAC algorithm and received the digest produced by that message inreturn cannot guess the digest produced for another message, if theperson does not possess the secret key. The MAC hash function may be akeyed-hash message authentication code (HMAC) function. In oneembodiment, an HMAC function is an MAC function that for a givencryptographic hash function H, a message M, a secret key K, a one-blocklong hexadecimal constant called ipad and a second one-block longhexadecimal constant called o_pad, makes K into the block length byeither padding K with zeroes or hashing K to reduce its length, hashingthe concatenation of K XOR i_pad with M to produce an intermediatedigest using H, then using H to hash the concatenation of K XOR o_padwith the intermediate digest to produce the final digest.

In some embodiments, the message metadata generator 204 is configured tomap each cryptographically hashed word to a plurality of tokens, as setforth in further detail below in connection with FIG. 3A. The messagemetadata generator 204 may be configured to generate a set of tokensassociated with the textual message, where the set of tokens includeseach plurality of tokens associated with each cryptographically hashedword, as set forth in further detail below in connection with FIG. 3A.

In some embodiments, the message metadata generator 204 is configured tofilter the set of tokens associated with the textual message. In one ofthese embodiments, the message metadata generator 204 uses a Bloomfilter (depicted in shadow in FIG. 2A as Bloom Filter 210). In someembodiments, a Bloom filter 210 is a data structure that stores setmembership information for potential set elements in a space-efficientmanner that eliminates false negative results while permitting a lowrate of false positive results that may be tuned by adjusting theparameters of the Bloom filter 210. In one embodiment, the Bloom filter210 is an array of bits that are initially all set to the same firstbinary value, such as “0”; an “array” may be any indexed physical orvirtual data store in which each stored element may be looked upuniquely by index number, and in which there is a fixed quantity of suchindex numbers. In one embodiment, a “bit” is anything in a physical orvirtual system that can store a single binary digit. In someembodiments, an element of data is added to a Bloom filter 210 byrunning some number k of hash functions, as defined above in connectionwith FIG. 2A, each of which maps the data element to some index in thearray; the insertion involves converting each bit to which each of the khash function maps the data element to a second binary value, such as“1.” Checking whether a second element is contained in the Bloom filter210 may involve performing the k hash functions on the second element,and checking whether each bit to which the second element maps undereach hash function has been converted to the second binary value; if anysuch bit has not been converted, the second element is certainly not inthe Bloom filter 210. If all of the bits have been converted, the secondelement may have been inserted in the Bloom filter 210; the secondelement may appear to have been inserted in the Bloom filter 210 when infact some other combination of elements was inserted, the combinationmapping to the complete set of bits to which the second data elementmaps, creating a false positive. The false positive rate as astatistical matter may be determined by the ratio of the number of bitsin the bit array to the number of elements in the set to be mapped tothe bit array.

The extraction of all elements from the Bloom filter 210 may beperformed by looking up each element that the hash functions map to eachcombination of k bits in the filter, for instance, by maintaining asecond data structure, such as a hash table dictionary of terms, whereeach hash is made up of a set of indices corresponding to a given dataelement using the hash functions. As a non-limiting example, each indexin the Bloom filter 210 may correspond to one element in the set of allpossible elements that may be inserted in the Bloom filter 210. Forinstance, an eight-bit Bloom filter 210 may have indices correspondingto the digits 0-1; as a result, a positive entry for the second indexmay lead to the digit “1” being extracted from the Bloom filter 210.Likewise, where an eight-bit Bloom filter 210 has indices mapped to theletters A-H, a positive entry for the second index may lead to theletter “B” being extracted from the Bloom filter 210. As a furtherexample, a Bloom filter 210 a having 32 bits, as illustrated in FIG. 2B,may map to the decimal digits 0-9 and the letters A-V; thus, an entry inthe fourth index 232 may lead to the extraction of the number “3,” whilean entry in the 24^(th) index 234 may lead to the extraction of theletter “N,” and the total extracted elements from the depicted Bloomfilter 210 a may be “1 3 7 9 B F H J N P R V.” In another embodiment, asillustrated in FIG. 2C, a Bloom filter 210 b corresponding to allpossible three-character codes using characters drawn from the digits0-9 and the letters A-Z has 3̂36 bits, each mapped to one three-charactercode, so that an entry at the 4^(th) index 236 causes the extraction ofthe code “003” and an entry at bit 2̂36 238 causes the extraction of thecode “ZZZ”; the total extracted elements as shown may be “001 003 007009 00B . . . 00F ZZT ZZV ZZZ.” The mapping of the indices tocorresponding elements may be in any order, including, withoutlimitation, a dictionary order, a random order, or an ordercorresponding to a character-encoding standard. In some embodiments,elements are extracted from the Bloom filter 210 by traversing the Bloomfilter 210 from its first index to its last index and extracting eachelement for which the corresponding index has an entry; the effect ofthe traversal may be to place the extracted elements in the order inwhich the elements are mapped to the Bloom filter 210 bits, such as adictionary order where the mapping is in dictionary order. The order ofthe extracted set of elements may not correspond to the order in whichthe elements were inserted into the Bloom filter 210. In otherembodiments, extraction of all elements from the Bloom filter 210 may beperformed by repeating all of the hash functions for every single termin a dictionary of terms, checking each element for inclusion in theBloom filter 210, and recording the ones determined to be included.

In some embodiments, the message metadata generator 204 is configured tostore the filtered set of tokens associated with the textual message inmetadata associated with the textual message. In one embodiment,metadata is information describing a set of data, such as the data in atextual message. Metadata may include information about when the textualmessage was created. Metadata may include information concerningidentifying the author of the textual message. Metadata may includekeywords or tokens that may be used to search for the textual message ina larger set of textual messages.

In one embodiment, the search application 220 is provided as a softwareapplication. In another embodiment, the search application 220 isprovided as a hardware application. The search application 220 maycombine software and hardware elements. In some embodiments, the searchapplication 220 is a “plug-in” that operates in conjunction with anapplication or service. For instance, the search application 220 may bea plug-in that is executed by the computing device 100 within a webbrowser as described above in connection with FIGS. 1A-1C.

In one embodiment, the query metadata generator 206 is provided as asoftware application. In another embodiment, the query metadatagenerator 206 is provided as a hardware application. The query metadatagenerator 206 may combine software and hardware elements. In someembodiments, the query metadata generator 206 is configured to obtain atextual query; to extract, from the textual query, at least one word; tocryptographically hash the at least one word; to map thecryptographically hashed at least one word to a plurality of tokens; andto generate a set of tokens associated with the query, the set of tokensincluding each plurality of tokens associated with eachcryptographically hashed word, as set forth in further detail below inconnection with FIG. 3A.

In one embodiment, the query module 208 is provided as a softwareapplication. In another embodiment, the query module 208 is provided asa hardware application. The query module 208 may combine software andhardware elements. In some embodiments, the query module 208 isconfigured to receive, from a search engine 212, at least one textualmessage including metadata including the plurality of tokens.

In one embodiment, a search engine 212 is a software or hardwareapplication designed to receive a data element (which may be referred toas a query) and to locate, in a set of data objects, one or more dataobjects associated with data containing at least one part of the query.A data object may be associated with data containing at least one partof the query if the data object contains the data. A data object may beassociated with data containing at least one part of the query if thedata object is associated with metadata containing at least one part ofthe query. In some embodiments, the search engine 212 returns only dataobjects associated with data containing all of the contents of thequery. For some portions of the query, the search engine 212 may returnonly data objects associated with data containing the contents of thoseportions in the order presented; for instance, the search engine 212 maysearch for exact phrases matching a particular phrase included in thequery in quotation marks. In other embodiments, the search engine 212ignores the order of query contents within the data objects searched,and checks for the presence of the query contents in data associatedwith the data objects.

The search engine 212 may be designed to search a single computingdevice. The search engine 212 may be designed to operate on onecomputing device while searching another remote device. The searchengine 212 may be designed to search a network of devices; for instance,some search engines 212, known as web search engines, are designed tosearch the Internet for content relevant to the query. Other searchengines search the contents of a particular data store located on one ormore devices; for instance, a search engine 212 may be designed tosearch the contents of a user's email account for messages matching aquery. The data store may be kept in local memory, memory on a remotemachine or cloud service, or some combination of local and remotestorage.

The search engine 212 may be located on the computing device 100. Thesearch engine 212 may be located on one or more remote devices. In someembodiments, the search engine 212 is a third-party product produced bya company specializing in search engines 212; examples are the GOOGLEsearch engine manufactured by Google, Inc. of Mountain View, Calif. andthe BING search engine manufactured by Microsoft Corporation of Redmond,Wash. In some embodiments, a search engine designed to search athird-party email provider is included in the suite of features providedwith the email service. For instance, the GMAIL email service,manufactured by Google, Inc. of Mountain View, Calif., may includesearch functionality also produced by Google, Inc. In other embodiments,a third-party email provider uses search functionality manufactured byan additional entity to search the third-party email contents for auser.

Although for ease of discussion the message parser 202, message metadatagenerator 204, query metadata generator 206, and query module 208 aredescribed as separate modules, it should be understood that this doesnot restrict the architecture to a particular implementation. Forinstance, these modules may be encompassed by a single circuit orsoftware function.

Referring now to FIG. 3A, a flow diagram depicts one embodiment of amethod 300 for generating probabilistically searchable messages. Inbrief overview, the method includes obtaining, by a computing device, atextual message (302). The method 300 includes extracting, by thecomputing device, from the textual message, a plurality of words (304).The method 300 includes cryptographically hashing, by the computingdevice, each word of the plurality of words (306). The method 300includes mapping, by the computing device, each cryptographically hashedword to a plurality of tokens (308). The method 300 includes generating,by the computing device, a set of tokens associated with the textualmessage, the set of tokens including each plurality of tokens associatedwith each cryptographically hashed word (310). The method 300 includesstoring, by the computing device, the filtered set of tokens associatedwith the textual message in metadata associated with the textual message(312).

Referring still to FIG. 3A in greater detail, and in connection withFIG. 2A, the message parser 202 obtains a textual message (302). In someembodiments, a user of the computing device 100 enters the textualmessage; for instance, the user may type the textual message on akeyboard 126 as disclosed above in connection with FIGS. 1A-1C. In someembodiments, the user composes the textual message within an applicationexecuting on the computing device. For example, the user may compose anew email message in an email application executing on the computingdevice. The user may compose a new message on a webmail applicationoperating within a web browser, as described above in connection withFIGS. 1A-1C. The user may compose a new message using any toolsavailable for creating a textual document on a computing device. Thetextual message may be created in response to another message; forinstance, the user may reply to an email from another user. The textualmessage may contain the text of an earlier message to which the textualmessage is a reply. In one embodiment, the message parser 202 isprovided as a plug-in to a webmail application. In another embodiment,the message parser 202 receives the textual message when a user enters acommand to the webmail application; for example, when the user enters,via a user interface element, an instruction to send the message (e.g.,by clicking on a user interface element, such as a button, labeled“send”), the message parser 202 may intercept the instruction to sendthe message and access the textual message. As another example, when adraft of the message is saved (either automatically by the webmailapplication or upon receiving an instruction from the user), the messageparser 202 may access the textual message.

In some embodiments, the message parser 202 converts the textual messagefrom its original form into a plain text form; that is, the system maynormalize the obtained textual message into plain text. For example, ifthe textual message is originally in hypertext markup language (HTML)format, the message parser 202 may normalize the textual message toplaintext; for instance, the message parser 202 may remove HTML tags,scripting language, style sheet references, and other elements besidesthe textual data contained in the textual message. Likewise, the messageparser 202 may remove tags from an extensible markup language (XML)document to produce a plain text version. The message parser 202 mayinclude textual data from fields other than the main message body of themessage; for instance, the message parser 202 may include text from anemail address field in the textual document. The message parser 202 mayinclude text from an email subject field in the textual document. Insome embodiments, the message parser 202 converts each word in thetextual message into lower-case form.

The message parser 202 extracts a plurality of words from the textualmessage (304). In some embodiments, the message parser extracts theplurality of words by tokenizing the textual message. FIG. 3B is ascreen-shot of a textual message for tokenization 320 in one embodiment.In an embodiment, the message parser 202 identifies at least oneseparator character 322; for instance, separator characters 322 mayinclude whitespace, such as carriage returns or the spaces place betweenwords, punctuation, such as periods, and some special characters such asampersands. The message parser 202 may identify separator characters 322by searching for one or more regular expressions 324 in the textualmessage 320. In one embodiment, a regular expression is a sequence ofcharacters used for searching and pattern matching on the computingdevice 100. The regular expression may combine one or more characters orstring literals to search for in a textual message with one or moremeta-characters that describe patterns to search for; as a non-limitingexample, the meta-character “\W” may instruct the computing device 100to search for non-alphanumeric characters. The regular expression 324may search for non-word characters. The message parser 202 may identifyany non-empty string of characters 326 between any two-separatorcharacters 322 as a word to be extracted. For example, the firstsentence in the textual message 320 shown in FIG. 3B may be identifiedby the message parser 202 as containing the words “Edit,” “the,”“Expression,” “Text,” “to,” “see,” and “matches,” given what theseparator characters 322 illustrate. The message parser 202 may saveextracted words in a data structure such as a table, a linked list, atree, a vector, an array, or any other form or type of data structure.As is well known to one of ordinary skill in the art, a regularexpression is composed of e sets of characters combined withconcatenation and repetition operators, which create a specification formatching sequences of characters in a text.

Referring back to FIG. 3A, the message metadata generator 204cryptographically hashes each word of the plurality of words (306). Insome embodiments, the message metadata generator 204 cryptographicallyhashes each word using a cryptographic hash function as described abovein connection with FIG. 2A. The message metadata generator 204 may use acryptographic hash function with a large enough output digest size torender the probability of collisions substantially small; for instance,the digest size produced by the cryptographic hash function may be atleast 256 bits. In some embodiments, the message metadata generator 204cryptographically hashes each word using a key hash function. The keyhash function may be a key hash function as described above inconnection with FIG. 2A. In some embodiments, the message metadatagenerator 204 cryptographically hashes each word using a MAC key hashfunction. In other embodiments, the message metadata generator 204cryptographically hashes each word using an HMAC key hash function. Themessage metadata generator 204 may use the same hash function for everyword from every message belonging to a particular user account; forinstance, the message metadata generator 204 may request a secret keyfrom a user of a particular email account on one occasion, and thenconsistently use that secret key thereafter. In one embodiment, thisleads to each word regularly hashing to the same digest.

The message metadata generator 204 maps each cryptographically hashedword to a plurality of tokens (308). In some embodiments, each of theplurality of tokens is smaller than the digest of the cryptographicallyhashed word; for instance, each token may be a three-character token.The message metadata generator 204 may map the cryptographically hashedwords to the tokens in a consistently reproducible manner. As anexample, the message metadata generator 204 may maintain a datastructure linking each cryptographically hashed word to itscorresponding plurality of tokens. In other embodiments, the messagemetadata generator 204 ensures consistently reproducible production oftokens by using the same process to produce the tokens from eachcryptographically hashed word; for instance, the message metadatagenerator 204 may perform the same mathematical operation on eachcryptographically hashed word every time the message metadata generator204 produces the tokens, thus ensuring that the same cryptographicallyhashed word produces the same tokens on a consistent basis. As anon-limiting example, if the cryptographically hashed word is a 256-bitstring, the message metadata generator 204 may divide the string into 832-bit segments, calculate the modulus of each of the 32-bit segmentswith a randomly chosen number, and use each result as a pointer to adictionary of tokens. In some embodiments, message metadata generator204 uses the same randomly chosen number for all cryptographicallyhashed words, to ensure that each cryptographically hashed word willconsistently map to the same set of tokens. In some embodiments, eachtoken is three characters long, and each cryptographically hashed wordis mapped to three tokens; thus while the probability that a differentcryptographically hashed word will share one token with a givencryptographically hashed word from the message is moderately low, theprobability that the words will share all three tokens is far lower.

The message metadata generator 204 generates a set of tokens associatedwith the textual message, the set of tokens including each plurality oftokens associated with each cryptographically hashed word (310). In someembodiments, the message metadata generator 204 stores all of the tokensassociated with all of the cryptographically hashed words from thetextual message in a data structure, such as a linked list. In someembodiments, the message metadata generator 204 adds each token to thedata structure when the token is mapped from a cryptographically hashedword, so that the generation of the set of tokens associated with thetextual message occurs at substantially the same time as the mapping ofeach cryptographically hashed word to its corresponding plurality oftokens. In some embodiments, the message metadata generator 204 insertseach token into the Bloom filter 210, as described below, when the tokenis mapped from a cryptographically hashed word; in other words, theBloom filter 210 may serve as the data structure used to generate theset of all tokens associated with the textual message.

The message metadata generator 204 stores the set of tokens associatedwith the textual message in metadata associated with the textual message(314). In some embodiments, the set of tokens is inserted into the bodyof the textual message; for instance, the set of tokens may be appendedto the end of the textual message. The set of tokens may be insertedinto a field of the textual message typically used for metadata; forinstance, where the textual message is an email, the set of tokens maybe inserted in the header of the email. In some embodiments, the textualmessage with the added tokens is stored where the similar textualmessages are typically stored; for instance, if the textual message isan email, it may be stored under the appropriate folder within a user'suser account, such as a folder for sent messages, or a folder fordrafts. A search engine 212 may index the textual message using theinserted metadata; for instance, the search engine 212 may be athird-party search engine associated with an email service, as describedabove in connection with FIG. 2A.

In some embodiments, the system 200 includes functionality foroptimizing the tokens. For example, the message metadata generator 204may eliminate duplicate tokens from the set of tokens associated withthe textual message. In other embodiments, the system 200 includesfunctionality for improving the security of the tokens. As an example,the message metadata generator 204 may reorder the set of tokens into adifferent order than the order in which the tokens were derived from theextracted words. The new order may be random. In some embodiments, themessage metadata generator 204 filters the set of tokens associated withthe textual message, using a Bloom filter 210. In some embodiments, themessage metadata generator 204 filters the set of tokens by insertingeach token into the Bloom filter 210 then extracting all tokens from theBloom filter 210 once they have all been inserted. The message metadatagenerator 204 may insert each token into the Bloom filter 210 asdescribed above in connection with FIG. 2A. In some embodiments, themessage metadata generator 204 applies three hash functions to eachtoken, mapping each token to three bits in the Bloom filter 210. TheBloom filter 210 may have a large number of bits to avoid falsepositives; in one embodiment, the number of bits in the Bloom filter 210is 3̂36. The message metadata generator 204 may extract all tokens fromthe Bloom filter 210 as described above in connection with FIG. 2A.

Filtering the tokens using the Bloom filter 210 may eliminate duplicatetokens from the set of tokens. For instance, if the original textualmessage included the phrase “my car is the red car,” the set of tokensassociated with the textual message may include the tokens associatedwith “car” twice, prior to filtering; after extraction from the Bloomfilter 210, only one set of tokens associated with the word “car” mayremain in the set of tokens. In addition, the extraction process fromthe Bloom filter 210 may not preserve the order in which the tokens wereinserted into the Bloom filter 210, so that the tokens extracted do notreveal the order of the words in the original textual message;furthermore, the tokens from each word may not be extractedconsecutively.

The system 200 may optimize the tokens by modifying the plurality ofextracted words prior to mapping the extracted words to tokens. Forinstance, the message metadata generator 204 may eliminate duplicatewords from the plurality of extracted words. The message metadatagenerator 204 may eliminate duplicate words from the plurality ofcryptographically hashed words. The message metadata generator 204 mayreorder the plurality of extracted words, either randomly or byreference to an index. The message metadata generator 204 may reorderthe plurality of cryptographically hashed words. In some embodiments,the message metadata generator 204 filters the plurality of words usinga Bloom filter 210; the filtering may occur with the extracted words orwith the cryptographically hashed words. In some embodiments, themessage metadata generator 204 filters the plurality of words byinserting each word into the Bloom filter 210 then extracting all wordsfrom the Bloom filter 210 once they have all been inserted. The messagemetadata generator 204 may insert each word into the Bloom filter 210 asdescribed above in connection with FIG. 2A. In some embodiments, themessage metadata generator 204 applies three hash functions to eachword, mapping each word to three bits in the Bloom filter 210. The Bloomfilter 210 may have a large number of bits to avoid false positives; inone embodiment, the number of bits in the Bloom filter 210 is 3̂36. Themessage metadata generator 204 may extract all words from the Bloomfilter 210 as described above in connection with FIG. 2A.

In some embodiments, the message metadata generator 204 inserts eachtoken into the Bloom filter 210 when the token is mapped from acryptographically hashed word; in other words, the Bloom filter 210 mayserve as the data structure used to generate the set of all tokensassociated with the textual message.

FIG. 3C illustrates an embodiment of the method 300. In someembodiments, a message 332 in HTML format is converted to plaintextformat 334; words 336 extracted from the plaintext message 334 bytokenizing the message 334 are cryptographically hashed to producedigests 338. The message metadata generator 204 may map eachcryptographically hashed word 338 to a set of three-letter tokens 340(e.g., one set of tokens per word), which are then optionally insertedinto the Bloom filter 210; the three-letter tokens may be taken from abase-36 character set including the digits from 0-9 and the 26 lettersof the English alphabet, yielding 36̂3 possible three-letter tokens. Insome embodiments, the message metadata generator 204 adds at least onerandom entry 342 to the Bloom filter 210, to ensure a desiredfalse-positive rate. The set of three-letter tokens 344 for insertion inthe metadata may be extracted from the Bloom filter 210. In someembodiments, the addition of random entries to the Bloom filter 210helps to protect against traffic analysis and correlation attacks; whilethe same tokens may be present in two messages that contain one or morewords, even two identical messages may have different randomly selectedtokens, so that comparing multiple messages to detect patterns in tokengeneration is largely fruitless. As an example, the message metadatagenerator 204 may add sufficient tokens to the Bloom filter to result ina total of 4,000 tokens per textual message. In some embodiments, the“noise” tokens 342 added to the Bloom filter 210 increases the falsepositive rate; the Bloom filter 210 size, and the number of “noise”insertions may be selected to produce a low false-positive rate whileintroducing enough noise to frustrate correlation attacks.

In some embodiments, the computing device 100 sends the textual messageto another computing device 100 b; for instance, where the textualmessage is an email, the textual message may be sent to its recipient.In some embodiments, the tokens are removed from the metadata associatedwith the textual message prior to the textual message being sent; a copyof the textual message containing the metadata may be retained, forinstance in a “sent mail” folder belonging to a sending user's emailaccount. In other embodiments, the textual message as sent retains thetokens in metadata associated with the textual message. In someembodiments, the cryptographic hashing and token mapping processes makeit difficult for the recipient, or an intercepting party, to gaininformation concerning the textual message from the tokens.

In some embodiments, the computing device 100 encrypts the textualmessage. The computing device 100 may encrypt the textual message usinga cryptographic system as described above in connection with FIG. 2A.The computing device 100 may encrypt the body of the textual message butnot the inserted tokens, permitting a search engine 212 to index thetextual message using the tokens. As an example, FIG. 3D illustrates anembodiment of a textual message 350 that is being sent with insertedtokens. The textual message 350 may have a header 352, such as amulti-purpose Internet mail extension (MIME) header containing metadatadescribing the textual message; the header 352 may describe the date andtime the message was sent. The header 352 may describe the sending andrecipient accounts. The header 352 may describe the protocol accordingto which the textual message was conveyed. In some embodiments, thetokens 354 are inserted in the textual message after the header 352, butbefore the message body 356. The message body 356 may be encrypted; forinstance, the message body 356 may be encrypted using a symmetric-keyencryption system. The textual message 350 may also include anunencrypted introduction 358. The introduction 358 may containinformation indicating that the message was encrypted. The introduction358 may contain information concerning a service that performed theencryption.

In some embodiments, the methods and systems described above alsoprovide functionality for allowing a user to later search for a textualmessage containing one or more key words in a secure manner. By way ofexample, and as will be described in further detail below in connectionwith FIG. 4, the method 300 may include: obtaining, by a computingdevice, a textual query; extracting, by the computing device, from thetextual query, at least one word; cryptographically hashing, by thecomputing device, the at least one word; mapping, by the computingdevice, the cryptographically hashed at least one word to a plurality oftokens; generating, by the computing device, a set of tokens associatedwith the textual query, the set of tokens including each plurality oftokens associated with each cryptographically hashed word; andreceiving, by the computing device, from a search engine, at least onetextual message including metadata comprising the set of tokens. Themethod may include providing, to the user, the received textual message.For example, in an embodiment in which the user entered the textualquery into a user interface for searching previously generated, sent, orreceived documents, messages, or textual data of any kind, the systemmay display to the user a response to the query including the receivedtextual message.

Referring now to FIG. 4, a flow diagram depicts one embodiment of amethod 400 for searching probabilistically searchable messages. In briefoverview, the method includes obtaining, by a computing device, atextual query (402). The method 400 includes extracting, by thecomputing device, from the textual query, at least one word (404). Themethod 400 includes cryptographically hashing, by the computing device,the at least one word (406). The method 400 includes mapping, by thecomputing device, the cryptographically hashed at least one word to aplurality of tokens (408). The method 400 includes generating, by thecomputing device, a set of tokens associated with the textual query, theset of tokens including each plurality of tokens associated with eachcryptographically hashed word (410). The method 400 includes receiving,by the computing device, from a search engine, at least one textualmessage including metadata comprising the set of tokens (412).

Referring still to FIG. 4 in greater detail, and in connection with FIG.2A, the query metadata generator obtains a textual query (402). In someembodiments, a user enters the search query on the computing device 100;for instance, the user may enter the search query using a keyboard 126as described above in connection with FIGS. 1A-1C. In some embodiments,where the search application 220 operates as a plug-in, the userattempts to enter a textual query in a search field provided by adifferent application from the search application 220, and the searchapplication 220 intercepts the search entry; for example, the user maybe searching email in a webmail application that provides a searchengine 212 for searching one or more folders in a user's email account,and the user may type text the user wishes to search for in a text entryfield associated with the search engine 212. Continuing the example, thesearch application 220 may receive the user's text entry instead of thesearch engine 212, remove the entry from the entry field before the useris able to execute the search; the search application 220 may convertthe user's text entry into tokens as further described below inconnection with FIG. 4, and provide a query containing the tokens to thesearch engine 212. In other embodiments, the search application 220includes a user interface (not shown) that prompts the user to enter asearch query.

The query metadata generator 206 extracts at least one word from thetextual query (404). In some embodiments, this is implemented asdescribed above in connection with FIGS. 3A-3C.

The query metadata generator 206 cryptographically hashes the at leastone word (406). In some embodiments, this is implemented as describedabove in connection with FIGS. 3A-3C. The query metadata generator 206may use the same cryptographic hash function to produce thecryptographically hashed at least one word that the message metadatagenerator 204 uses to hash words extracted from messages, as describedabove in connection with FIGS. 3A-3C; for instance, where the messagemetadata generator 204 uses an HMAC key hash, the query metadatagenerator 206 may use the same HMAC key hash, with the same key.

The query metadata generator 206 maps the cryptographically hashed atleast one word to a plurality of tokens (408). In some embodiments, thisis implemented as described above in connection with FIGS. 3A-3C. Thequery metadata generator 206 may use the same mapping that the messagemetadata generator 204 uses to map cryptographically hashed words tokeys, so that a word from the query is mapped to the same tokens towhich the same word from the textual message is mapped.

The query metadata generator 206 generates a set of tokens associatedwith the textual query, the set of tokens including each plurality oftokens associated with each cryptographically hashed word (410). In someembodiments, this is implemented as described above in connection withFIG. 3A.

The query module 208 receives, from a search engine 212, at least onetextual message including metadata including the set of tokens (412).The query module 208 may create a search query that contains the set oftokens. In some embodiments, the messages that the search engine 212searches for the queries are probabilistically searchable messages asdescribed above in connection with FIGS. 3A-3C. In some embodiments, thetokens added to metadata associated with the textual message by themessage metadata generator 204 as described above in connection withFIGS. 3A-3C are text strings, as shown in FIG. 3C, and thus may beindexed and searched by search engines 212 in the same manner as otherstrings. Similarly, the set of tokens generated by the query metadatagenerator 206 may be text strings search engines can use in searchqueries in the same manner as other strings. As a result, a search forthe search query made up of tokens generated from the query may produceall messages containing the words contained in the query. The querymodule 208 may include at least one word from the originally obtainedtextual query in the search query; for instance, the query module 208may produce a search query that searches for either the tokens or thetextual query. As a non-limiting example, where the search is a Booleansearch, the textual query is ‘hello, World,’ and the tokens producedfrom the textual query are ‘00b 5c1 7uw 9rz b21 z9z zx3,’ the querymodule 208 may create a search query for “‘hello, World’ OR ‘00b 5c1 7uw9rz b21 z9z zx3.’”

In some embodiments, the use of noise insertion in producing theprobabilistically searchable message as described above in connectionwith FIGS. 3A-3C gives rise to a small probability of false positiveresults; as described above in connection with FIGS. 3A-3C, the Bloomfilter 210 may be chosen with sufficient size to make false positiveresults unlikely. In some embodiments, the received message isencrypted; in some embodiments, the computing device 100 decrypts thereceived message as described above in connection with FIG. 2A. Theencrypted received message may contain unencrypted portions such as anunencrypted MIME header or a set of search tokens, as described above inconnection with FIGS. 3A-3D.

Embodiments of the disclosed system and methods produce and searchprivacy-preserving searchable textual messages. By using randomlyselected tokens inserted with tokens corresponding to words from atextual message into an appropriately-sized Bloom filter 210,embodiments of the above method ensure that false negative searchresults are eliminated, false positive search results are minimized, andcorrelations between individual tokens and their originating words arepractically infeasible to detect. Embodiments of the disclosed systemand methods enable users to take advantage of third-party search enginesto index and search encrypted messages without compromising the securityof the encrypted messages. Although described in the context of messagesthat are exchanged between computer users, such as electronic mailmessages, it should be understood that the methods and systems describedherein may be applied to searching any type or form of text, includingwithout limitation, documents, presentations, spreadsheets, or othertext-based materials that a user may wish to both encrypt and latersearch for and identify using conventional search techniques.

It should be understood that the systems described above may providemultiple ones of any or each of the described components and thesecomponents may be provided on either a standalone machine or, in someembodiments, on multiple machines in a distributed system. The phrases‘in one embodiment,’ ‘in another embodiment,’ and the like, generallymean the particular feature, structure, step, or characteristicfollowing the phrase is included in at least one embodiment of thepresent disclosure and may be included in more than one embodiment ofthe present disclosure. Such phrases may, but do not necessarily, referto the same embodiment.

The systems and methods described above may be implemented as a method,apparatus, or article of manufacture using programming and/orengineering techniques to produce software, firmware, hardware, or anycombination thereof. The techniques described above may be implementedin one or more computer programs executing on a programmable computerincluding a processor, a storage medium readable by the processor(including, for example, volatile and non-volatile memory and/or storageelements), at least one input device, and at least one output device.Program code may be applied to input entered using the input device toperform the functions described and to generate output. The output maybe provided to one or more output devices.

Each computer program within the scope of the claims below may beimplemented in any programming language, such as assembly language,machine language, a high-level procedural programming language, or anobject-oriented programming language. The programming language may, forexample, be LISP, PROLOG, PERL, C, C++, C#, JAVA, or any compiled orinterpreted programming language.

Each such computer program may be implemented in a computer programproduct tangibly embodied in a machine-readable storage device forexecution by a computer processor. Method steps of the invention may beperformed by a computer processor executing a program tangibly embodiedon a computer-readable medium to perform functions of the invention byoperating on input and generating output. Suitable processors include,by way of example, both general and special purpose microprocessors.Generally, the processor receives instructions and data from a read-onlymemory and/or a random access memory. Storage devices suitable fortangibly embodying computer program instructions include, for example,all forms of computer-readable devices; firmware; programmable logic;hardware (e.g., integrated circuit chip, electronic devices, acomputer-readable non-volatile storage unit, non-volatile memory, suchas semiconductor memory devices, including EPROM, EEPROM, and flashmemory devices); magnetic disks such as internal hard disks andremovable disks; magneto-optical disks; and CD-ROMs. Any of theforegoing may be supplemented by, or incorporated in, specially-designedASICs (application-specific integrated circuits) or FPGAs(Field-Programmable Gate Arrays). A computer can generally also receiveprograms and data from a storage medium such as an internal disk (notshown) or a removable disk. These elements will also be found in aconventional desktop or workstation computer as well as other computerssuitable for executing computer programs implementing the methodsdescribed herein, which may be used in conjunction with any digitalprint engine or marking engine, display monitor, or other raster outputdevice capable of producing color or gray scale pixels on paper, film,display screen, or other output medium. A computer may also receiveprograms and data (including, for example, instructions for storage onnon-transitory computer-readable media) from a second computer providingaccess to the programs via a network transmission line, wirelesstransmission media, signals propagating through space, radio waves,infrared signals, etc.

Having described certain embodiments of methods and systems forgenerating probabilistically searchable messages, it will now becomeapparent to one of skill in the art that other embodiments incorporatingthe concepts of the disclosure may be used. Therefore, the disclosureshould not be limited to certain embodiments, but rather should belimited only by the spirit and scope of the following claims.

What is claimed is:
 1. A computer-implemented method for generatingprobabilistically searchable messages, the method comprising: obtaining,by a computing device, a textual message; extracting, by the computingdevice, from the textual message, a plurality of words;cryptographically hashing, by the computing device, each word of theplurality of words; mapping, by the computing device, eachcryptographically hashed word to a plurality of tokens; generating, bythe computing device, a set of tokens associated with the textualmessage, the set of tokens including each plurality of tokens associatedwith each cryptographically hashed word; and storing, by the computingdevice, a filtered set of tokens associated with the textual message inmetadata associated with the textual message.
 2. The method of claim 1further comprising normalizing the obtained textual message into plaintext.
 3. The method of claim 1, wherein cryptographically hashingfurther comprises hashing each word using a key hash function.
 4. Themethod of claim 1, wherein mapping further comprises maintaining a datastructure linking each cryptographically hashed word to itscorresponding plurality of tokens.
 5. The method of claim 1 furthercomprising filtering, by the computing device, the set of tokensassociated with the textual message, using a Bloom filter.
 6. The methodof claim 5, wherein filtering further comprises adding at least onerandomly-generated token to the Bloom filter.
 7. The method of claim 5,wherein filtering further comprises eliminating at least one duplicatetoken from the set of tokens.
 8. The method of claim 5, whereinfiltering further comprises adding at least one random entry to theBloom filter.
 9. The method of claim 1 further comprising eliminating atleast one duplicate word from the plurality of cryptographically hashedwords.
 10. The method of claim 1 further comprising inserting the set oftokens into the textual message.
 11. The method of claim 1 furthercomprising encrypting, by the computing device, the textual message. 12.The method of claim 1 further comprising sending the textual message toa second computing device.
 13. The method of claim 1 further comprising:obtaining, by the computing device, a textual query; extracting, by thecomputing device, from the textual query, at least one word;cryptographically hashing, by the computing device, the at least oneword; mapping, by the computing device, the cryptographically hashed atleast one word to a plurality of tokens; generating, by the computingdevice, a set of tokens associated with the textual query, the set oftokens including each plurality of tokens associated with eachcryptographically hashed word; and receiving, by the computing device,from a search engine, the textual message including metadata comprisingthe set of tokens.
 14. The method of claim 12 further comprisingproviding, to a user, the received textual message.
 15. A system forgenerating probabilistically searchable messages, the system comprising:a computing device; a message parser, executing on the computing device,obtaining a textual message, and extracting, from the textual message, aplurality of words; and a message metadata generator, executing on thecomputing device, cryptographically hashing each word of the pluralityof words, mapping each cryptographically hashed word to a plurality oftokens, generating a set of tokens associated with the textual message,the set of tokens including each plurality of tokens associated witheach cryptographically hashed word, and storing the set of tokensassociated with the textual message in metadata associated with thetextual message.
 16. A method for searching probabilistically searchablemessages, the method comprising: obtaining, by a computing device, atextual query; extracting, by the computing device, from the textualquery, at least one word; cryptographically hashing, by the computingdevice, the at least one word; mapping, by the computing device, thecryptographically hashed at least one word to a plurality of tokens;generating, by the computing device, a set of tokens associated with thetextual query, the set of tokens including each plurality of tokensassociated with each cryptographically hashed word; and receiving, bythe computing device, from a search engine, at least one textual messageincluding metadata comprising the set of tokens.
 17. The method of claim16, wherein cryptographically hashing further comprises hashing eachword using a key hash function.
 18. The method of claim 16 furthercomprising providing, by the computing device, to the user, the at leastone textual message.
 19. The method of claim 18, wherein providingfurther comprises displaying, by the computing device, to the user, theat least one textual message in response to the textual query.
 20. Asystem for searching probabilistically searchable messages, the systemcomprising: a computing device; a query metadata generator executing onthe computing device, obtaining a textual query, extracting, from thetextual query, at least one word, cryptographically hashing the at leastone word, mapping the cryptographically hashed at least one word to aplurality of tokens, and generating a set of tokens associated with thetextual query, the set of tokens including each plurality of tokensassociated with each cryptographically hashed word; and a query module,executing on the computing device and receiving, from a search engine,at least one textual message including metadata comprising the set oftokens.